Abstract. We investigate the impact of spontaneous movement in the 
complexity of verification problems for an automata-based protocol model 
of networks with selective broadcast communication. We first consider 
reachability of an error state and show that parameterized verification 
is decidable with polynomial complexity. We then move to richer queries 
and show how the complexity changes when considering properties with 
negation or cardinality constraints. 

1 Introduction 

Selective broadcast communication is often used in networks in which individual 
nodes have no precise information about the underlying connection topology (e.g. 
ad hoc wireless networks). As shown in [13,10,11,16,17,4], this type of communication can naturally be specified in models in which a network configuration 
is represented as a graph and in which individual nodes run an instance of a 
given protocol specification. A protocol typically specifies a sequence of control 
states in which a node can send a message (emitter role), wait for a message 
(receiver role), or perform an update of its internal state. Selective broadcast 
communication is modeled as a simultaneous update of the state of the emitter 
node and of the states of its neighbors. 

Already at this level of abstraction, verification of protocols with selective 
broadcast communication turns out to be a very difficult task. A formal account 
of this problem is given in [3,4], where the control state reachability problem is 
proved to be undecidable in an automata-based protocol model in which configurations are arbitrary graphs. The control state reachability problem consists 
in verifying the existence of an initial network configuration (with unknown size 
and topology) that may evolve into a configuration in which at least one node 
is in a given control state. If such a control state represents a protocol error, 
then this problem naturally expresses (the complement of) a safety verification 
task in a setting in which nodes have no information a priori about the size and 
connection topology of the underlying network. 

In presence of spontaneous movement, i.e., non-deterministic reconfigurations 
of the network during an execution, control state reachability becomes decidable 



[3]. In this paper we focus on the complexity of different types of parameterized 
reachability problems in presence of spontaneous movement. More precisely, we 
consider reachability queries defined over assertions that: (PRP) check the pres- 
ence or absence of control states in a given configuration generated by an initial 
configuration of arbitrary size, and (CRP) cardinality queries that check the 
exact number of occurrences of control states in a reachable configuration (the 
counterpart of classical reachability). The first and the second problem require, 
at least in principle, the exploration of an infinite-state space. Indeed they are 
formulated for arbitrary initial configurations. The latter is inherently finite-state. Despite this, we first show that reachability queries for constraints that 
only check for the presence of a control state can be checked in polynomial time. 
When considering both constraints for checking presence and absence of con- 
trol states the problem turns out to be NP-complete. Finally, we show that the 
problem becomes PSPACE-complete for cardinality queries. 

Related Work. Perfect synchronous semantics for broadcast communication 
have been proposed in [14,16,17,5]. Semantics that take into consideration interferences and conflicts during a transmission have been proposed in [8,10,11,12]. 
To our knowledge, parameterized verification has not been studied in previous 
work on formal models of ad hoc networks [14,16,17,13,5,7,8,10,11,12]. Finally, 
decidability issues for broadcast communication in unstructured concurrent systems have been studied, e.g., in [6], whereas verification of unreliable communicating FIFO systems has been studied, e.g., in [1]. 

2 A Model for Mobile Ad Hoc Networks 
2.1 Syntax and semantics 

Our model for mobile ad hoc networks is defined in two steps. We first define 
graphs used to denote network configurations and then define protocols running 
on each node. The label of a node denotes its current control state. Finally, we 
give a transition system for describing the interaction of a vicinity during the 
execution of the same protocol on each node. 

Definition 1. A $Q$-graph is a labeled undirected graph $\gamma = (V, E, L)$, where $V$ 
is a finite set of nodes, $E \subseteq V \times V$ is a finite set of edges, and $L$ is a labeling 
function from $V$ to a set of labels $Q$. 

We use $L(\gamma)$ to represent all the labels present in $\gamma$ (i.e. the image of the function 
$L$). The nodes belonging to an edge are called the endpoints of the edge. For an 
edge $(u, v)$ in $E$ we use the notation $u \sim_\gamma v$ and say that the vertices $u$ and $v$ 
are adjacent one to another in the graph $\gamma$. We omit $\gamma$, and simply write $u \sim v$, 
when it is made clear by the context. 

Definition 2. A process is a tuple $\mathcal{P} = (Q, \Sigma, R, Q_0)$, where $Q$ is a finite set 
of control states, $\Sigma$ is a finite alphabet, $R \subseteq Q \times (\{!!a, ??a \mid a \in \Sigma\}) \times Q$ is the 
transition relation, and $Q_0 \subseteq Q$ is a set of initial control states. 
The label $!!a$ [resp. $??a$] represents the capability of broadcasting [resp. receiving] 
a message $a \in \Sigma$. For $q \in Q$ and $a \in \Sigma$, we define the set $R_a(q) = \{q' \in Q \mid 
(q, ??a, q') \in R\}$ which contains the states that can be reached from the state $q$ 
when receiving the message $a$. We assume that $R_a(q)$ is non-empty for every $a$ 
and $q$, i.e. nodes always react to broadcast messages. Local transitions (denoted 
by the special label $\tau$) can be derived by using a special message $m_\tau$ such that 
$(q, ??m_\tau, q') \in R$ implies $q' = q$ for every $q \in Q$ (i.e. receivers do not modify their 
local states). In the following, if for some state $q \in Q$ and message $a \in \Sigma$ we 
omit the definition of transitions of the form $(q, ??a, q')$, we implicitly assume the 
existence of only one such transition that does not change the state (i.e. $q' = q$). 

Given a process $\mathcal{P} = (Q, \Sigma, R, Q_0)$, a configuration of the corresponding 
Mobile Ad Hoc Network (MAHN) is a $Q$-graph and an initial configuration is 
a $Q_0$-graph. We use $\mathcal{C}$ [resp. $\mathcal{C}_0$] to denote the set of configurations [resp. initial 
configurations] associated to $\mathcal{P}$. Note that even if $Q$ is finite, there are infinitely 
many possible configurations (the number of $Q$-graphs). We assume that each 
node of the graph is a process that runs a common predefined protocol defined by 
a communicating automaton with a finite set $Q$ of control states. Communication 
is achieved via selective broadcast, which means that a broadcast message is 
received by the nodes which are adjacent to the sender. We next formalize the 
above intuition. 

Given a process $\mathcal{P} = (Q, \Sigma, R, Q_0)$, a MAHN is defined by the transition 
system $MAHN(\mathcal{P}) = (\mathcal{C}, \to, \mathcal{C}_0)$ where the transition relation ${\to} \subseteq \mathcal{C} \times \mathcal{C}$ is such 
that: for $\gamma, \gamma' \in \mathcal{C}$ with $\gamma = (V, E, L)$, we have $\gamma \to \gamma'$ iff $\gamma' = (V, E', L')$ and one 
of the following conditions holds: 

Broadcast: $E' = E$ and $\exists v \in V$ s.t. $(L(v), !!a, L'(v)) \in R$ and $L'(u) \in R_a(L(u))$ 
for every $u \sim v$, and $L(w) = L'(w)$ for any other node $w$. 

Movement: $E' \subseteq V \times V$ and $L = L'$. 

We use $\to^*$ to denote the reflexive and transitive closure of $\to$. 
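As an added example (constructed for this page, not code from the paper), the semantics just defined can be executed directly: the explorer below enumerates the configurations reachable from a fixed complete initial graph under the Broadcast and Movement rules, for a small toy process RULES that is an assumption of the example. With a fixed node set the search is finite, and the example also shows that state e is reachable with three nodes but not with two, which is exactly the dependence on network size that the parameterized problem abstracts away.

```python
from collections import deque
from itertools import combinations, product

# Constructed toy process (not from the paper): a node in q0 may broadcast a,
# a node in q0 that hears a moves to r, and a node in r that hears a second a
# moves to e.  Rules are (q, action, q') with action "!!a" (send) or "??a" (receive).
RULES = [("q0", "!!a", "s"), ("q0", "??a", "r"), ("r", "??a", "e")]


def receivers(rules, q, a):
    """R_a(q): the states q can move to on reception of a.  A reception with no
    explicit rule is the implicit self-loop of Section 2.1 (q stays in q)."""
    succ = {q2 for (q1, act, q2) in rules if q1 == q and act == "??" + a}
    return succ or {q}


def all_topologies(n):
    """Every undirected edge set over nodes 0..n-1: the targets of Movement."""
    pairs = [frozenset(p) for p in combinations(range(n), 2)]
    return [frozenset(c) for r in range(len(pairs) + 1) for c in combinations(pairs, r)]


def broadcast_successors(labels, edges, rules):
    """All labelings L' with (V,E,L) -> (V,E,L') by one Broadcast step: some node v
    fires (L(v), !!a, L'(v)), every neighbour u of v picks a state in R_a(L(u)),
    and every other node keeps its label."""
    out = set()
    n = len(labels)
    for v in range(n):
        for (q1, act, q2) in rules:
            if q1 != labels[v] or not act.startswith("!!"):
                continue
            a = act[2:]
            nbrs = [u for u in range(n) if u != v and frozenset((u, v)) in edges]
            choices = [[(u, q) for q in receivers(rules, labels[u], a)] for u in nbrs]
            for combo in product(*choices):       # one successor state per neighbour
                new = list(labels)
                new[v] = q2
                for (u, q) in combo:
                    new[u] = q
                out.add(tuple(new))
    return out


def reachable_labelings(init_labels, rules):
    """Explicit-state exploration of MAHN(P) from the complete initial graph over a
    fixed node set.  A configuration is (labeling, edge set); the node count never
    changes, so the space is finite (the remark after the definition of PRP).
    Returns the set of reachable labelings."""
    n = len(init_labels)
    topologies = all_topologies(n)
    start = (tuple(init_labels), topologies[-1])   # last element is the complete graph
    seen = {start}
    queue = deque([start])
    while queue:
        labels, edges = queue.popleft()
        successors = {(labels, e2) for e2 in topologies}                              # Movement
        successors |= {(l2, edges) for l2 in broadcast_successors(labels, edges, rules)}  # Broadcast
        for conf in successors:
            if conf not in seen:
                seen.add(conf)
                queue.append(conf)
    return {labels for (labels, _) in seen}


def reachable_states(init_labels, rules):
    """Union of the labels over all reachable configurations (L(gamma) for all gamma)."""
    return {q for labels in reachable_labelings(init_labels, rules) for q in labels}
```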
2.2 Parameterized Reachability Problems 

A natural class of verification problems for MAHN consists in determining 
whether there exists an initial configuration from which a configuration respecting 
some constraints can be reached. In this work, the constraints are boolean 
combinations of atoms which allow one to state the presence or the absence of a 
control state in a configuration. Given a process $\mathcal{P} = (Q, \Sigma, R, Q_0)$, a constraint 
over $\mathcal{P}$ is defined by the following grammar: $\varphi ::= \#q \geq 1 \mid \#q = 0 \mid \varphi \wedge \varphi \mid \varphi \vee \varphi$ 
with $q \in Q$. We denote by $\mathcal{CC}$ the class of constraints and by $\mathcal{CC}[\geq 1]$ the class 
of constraints in which atomic propositions have only the form $\#q \geq 1$ (there 
exists at least one occurrence of $q$). Given a configuration $\gamma$ the satisfaction 
relation $\models$ for constraints is defined by (we omit boolean cases defined as usual): 
$\gamma \models \#q \geq 1$ iff $q \in L(\gamma)$ and $\gamma \models \#q = 0$ iff $q \notin L(\gamma)$. 

The parameterized reachability problem (PRP) can then be stated as follows: 

Input: A process $\mathcal{P}$ with $MAHN(\mathcal{P}) = (\mathcal{C}, \to, \mathcal{C}_0)$ and a constraint $\varphi$. 
Output: Yes, if $\exists \gamma_0 \in \mathcal{C}_0$ and $\gamma_1 \in \mathcal{C}$ s.t. $\gamma_0 \to^* \gamma_1$ and $\gamma_1 \models \varphi$. 

If the answer to this problem is yes, we will write $\mathcal{P} \models \Diamond\varphi$. We use the term 
parameterized to remark that the initial configuration is not fixed a priori. In 
fact, the only constraint that we put on the initial configuration is that the 
nodes have labels taken from $Q_0$ without any information on their number or 
connection links. As a special case we can define the control state reachability 
problem studied in [3] as the PRP for the simple constraint $\#q \geq 1$ (i.e. is 
there an initial configuration that can reach a configuration in which the state 
$q$ is exposed?). 

We also remark that according to the semantics, the number of nodes stays 
constant in each execution starting from the same initial configuration. As a 
consequence, when fixing the initial configuration $\gamma_0$, we obtain finitely many 
possible reachable configurations. Thus, checking if there exists $\gamma_1$ reachable 
from a given $\gamma_0$ s.t. $\gamma_1 \models \varphi$ for a constraint $\varphi$ is a decidable problem. 

On the other hand, checking the parameterized version of the reachability 
problem is in general more difficult. Indeed, in [5], it is proved that PRP for 
simple constraints of the form $\#q \geq 1$ is undecidable when deleting the movement 
rule from the semantics (i.e. nodes communicate via selective broadcast 
but the connectivity graph never changes during a computation). In [3], it is 
also proved that PRP for the same class of simple constraints is decidable. However, 
the proposed decidability proof is based on a reduction to the problem 
of coverability in Petri nets which is known to be EXPSPACE-complete [18,19]. 
Since no lower bound was provided, the precise complexity of PRP with simple 
constraints was left as an open problem that we close in this paper by showing 
that it is PTIME-complete. 

3 PRP restricted to constraints in CC[≥ 1] 

In this section, we study PRP restricted to $\mathcal{CC}[\geq 1]$. Note that this class of 
constraints allows one to characterize configurations in which a given set of control 
states is present, but it can express neither the absence of states nor the 
number of their occurrences. We first give a lower bound for this problem. 

Proposition 1. PRP restricted to $\mathcal{CC}[\geq 1]$ is PTIME-hard. 

Proof. The proof is based on a LOGSPACE-reduction from the Circuit Value 
Problem (CVP) which is known to be PTIME-complete [H]. CVP is defined as 
follows: given an acyclic Boolean circuit with $k$ input variables, $m$ boolean gates 
(of type and, or, not), a single output variable and a truth assignment for the 
input variables, is the value of the output equal to a given boolean value? 

Assume an instance of CVP $C$ with input/output/intermediate value names 
taken from a finite set $VN$. We denote by $v_1, \dots, v_k \in VN$ the inputs and by 
$v \in VN$ the output. Furthermore, each gate $g$ is represented by its signature 
$g(\circ, i_1, i_2, o)$ with $i_1, i_2, o \in VN$ and $\circ \in \{\vee, \wedge\}$, or by $g(\neg, i, o)$ with $i, o \in VN$. 
Finally, let $b_1, \dots, b_k \in \{true, false\}$ be a truth assignment for the inputs and 
$b \in \{true, false\}$ the value for the output to be tested. 
The process $\mathcal{P}_C$ associated to $C$ has two types of initial states: $q_0$ (init nodes), 
and $g$ (gate nodes) for each gate $g$ of $C$. A node in state $q_0$ broadcasts (an arbitrary 
number of) messages that model the initial assignments to input variables. 
Since the assignment is fixed, broadcasting these messages several times (or receiving 
them from different initial nodes) does not harm the correctness of the 
encoding. When receiving an evaluation for their inputs (from an initial node or 
another gate node), a gate node evaluates the corresponding boolean function 
and then repeatedly broadcasts the value of the corresponding output. Since $C$ 
is acyclic, once computed, the output value always remains the same (i.e. recomputing 
it does not harm). Finally, reception of the value $b$ for the output $v$ sends a $q_0$ 
node into state $ok$. Reachability of the output value $b$ then reduces to PRP for 
the process $\mathcal{P}_C$ with $ok$ the control state to be reached. 

Formally, the process rules are defined as follows. For $i \in \{1, \dots, k\}$, we have 
rules $(q_0, !!(v_i = b_i), q_0)$ and $(q_0, ??(v = b), ok)$. They model the assignment of 
value $b_i$ to input $v_i$ and reception of output value $b$. 

For gate $g(\circ, i_1, i_2, o)$ and for each assignment $\alpha = (b'_1, b'_2)$ (with $b'_1, b'_2 \in 
\{true, false\}$) of values to $(i_1, i_2)$ (a constant number for each gate), we associate 
the following subprotocol: 




(Self-loops associated to receptions for which there are no explicit rules are omitted). 
We use a similar encoding for a not gate. 

Consider now the resulting process $\mathcal{P}_C = (Q, \Sigma, R, \{q_0\} \cup \{g \mid g \text{ is a gate in } C\})$ 
with corresponding transition system $MAHN(\mathcal{P}_C) = (\mathcal{C}, \to, \mathcal{C}_0)$. We have that there 
exist $\gamma \in \mathcal{C}_0$ and $\gamma'$ in $\mathcal{C}$ s.t. $\gamma \to^* \gamma'$ and $\gamma' \models \#ok \geq 1$ iff $b$ is the value for $v$ 
in $C$ with input values $b_1, \dots, b_k$. □ 

We now show that PRP restricted to $\mathcal{CC}[\geq 1]$ is in PTIME. The main idea to 
obtain this result lies in the fact that we can compute in polynomial time the set 
of control states that appear in the reachable configurations. The construction 
is based on the following key points. We first observe that, in order to decide if 
control state $q$ can be reached, we can focus our attention on initial complete 
graphs (i.e. graphs in which all pairs of nodes are connected). Indeed, spontaneous 
movement can be applied to non-deterministically transform a topology 
into any other one. Another key observation is that if a configuration $\gamma$ can be 
reached from an initial configuration $\gamma_0$, then for any natural $k$, there exists a 
complete graph which is reachable from an initial configuration $\gamma_0'$ and in which 
each of the control states appearing in $\gamma$ appears at least $k$ times. The initial 
configuration $\gamma_0'$ is obtained by replicating $k$ times the initial graph $\gamma_0$. The 
replicated parts are then connected in all possible ways (to obtain a connected 
graph). We can then use spontaneous movement to activate and deactivate the 
different subparts in order to mimic $k$ parallel executions of the original system. 
For what concerns constraints in $\mathcal{CC}[\geq 1]$ this property of PRP avoids the need 
of counting the occurrences of states. We just have to remember which states 
can be generated by repeatedly applying process rules. By exploiting the above 
mentioned observations, when defining the decision procedure for checking control 
state reachability we can take the following assumptions: (i) forget about 
the topology underlying the initial configuration; (ii) forget about the number 
of occurrences of control states in a configuration (if it is reached once, it can be 
reached an arbitrary number of times by considering larger initial configurations 
as explained before); (iii) consider a single symbolic path in which at each step 
we apply all possible rules whose preconditions can be satisfied in the current 
set and then collect the resulting set of computed states. 

Algorithm 1 Computing the set of control states reachable in a MAHN 
Input: $\mathcal{P} = (Q, \Sigma, R, Q_0)$ a process 
Output: $S \subseteq Q$ the set of reachable control states in $MAHN(\mathcal{P})$ 
  $S := Q_0$ 
  $oldS := \emptyset$ 
  while $S \neq oldS$ do 
    $oldS := S$ 
    for all $(q_1, !!a, q_2) \in R$ such that $q_1 \in oldS$ do 
      $S := S \cup \{q_2\} \cup \{q' \in Q \mid (q, ??a, q') \in R \wedge q \in oldS\}$ 
    end for 
  end while 

We now formalize the previous observations. Let $\mathcal{P} = (Q, \Sigma, R, Q_0)$ be a 
process with $MAHN(\mathcal{P}) = (\mathcal{C}, \to, \mathcal{C}_0)$ and let $Reach(\mathcal{P})$ be the set of reachable 
control states, equal to $\{q \in Q \mid \exists \gamma \in \mathcal{C}_0.\ \exists \gamma' \in \mathcal{C} \text{ s.t. } \gamma \to^* \gamma' \text{ and } q \in L(\gamma')\}$. 
We will now prove that Algorithm 1 computes $Reach(\mathcal{P})$. Let $S$ be the result 
of Algorithm 1 (note that this algorithm necessarily terminates because the 
while-loop is performed at most $|Q|$ times). We have then the following lemma. 

Lemma 1. The two following properties hold: 

(i) There exist two configurations $\gamma_0 \in \mathcal{C}_0$ and $\gamma \in \mathcal{C}$ such that $\gamma_0 \to^* \gamma$ and 
$L(\gamma) = S$. 

(ii) $S = Reach(\mathcal{P})$. 

Proof. We first prove (i). We denote by $S_0, S_1, \dots, S_n$ the content of $S$ after each 
iteration of the loop of Algorithm 1. We recall that a graph $\gamma = (V, E, L)$ 
is complete if $(v, v') \in E$ or $(v', v) \in E$ for all $v, v' \in V$. We will now consider 
the following statement: for all $j \in \{0, \dots, n\}$, for all $k \in \mathbb{N}$, there exists a complete 
graph $\gamma_{j,k} = (V, E, L)$ in $\mathcal{C}$ verifying the two following points: 

1. $L(\gamma_{j,k}) = S_j$ and for each $q \in S_j$, the set $\{v \in V \mid L(v) = q\}$ has more than 
$k$ elements (i.e. for each element $q$ of $S_j$ there are more than $k$ nodes in $\gamma_{j,k}$ 
labeled with $q$), 

2. there exists $\gamma_0 \in \mathcal{C}_0$ such that $\gamma_0 \to^* \gamma_{j,k}$. 

To prove this statement we reason by induction on $j$. First, for $j = 0$, the 
property is true, because for each $k \in \mathbb{N}$, the graph $\gamma_{0,k}$ corresponds to the 
complete graph where each of the initial control states appears at least $k$ 
times. We now assume that the property is true for all naturals smaller than 
$j$ (with $j < n$) and we will show it is true for $j + 1$. We consider $\mathcal{E}$ the set 
$\{((q_1, !!a, q_2), (q, ??a, q')) \in R \times R \mid q_1, q \in S_j\}$ and $M$ its cardinality. Let 
$k \in \mathbb{N}$ and let $N = k + 2 \cdot k \cdot M$. We consider the graph $\gamma_{j,N}$ where each control 
state present in $S_j$ appears at least $N$ times (such a graph exists by the induction 
hypothesis). From $\gamma_{j,N}$, we build the graph $\gamma_{j+1,k}$ obtained by repeating $k$ 
times the following operations: 

— for each pair $((q_1, !!a, q_2), (q, ??a, q')) \in \mathcal{E}$, select a node labeled by $q_1$ and one 
labeled by $q$ and update their labels respectively to $q_2$ and $q'$ (this simulates a 
broadcast from the node labeled by $q_1$ received by the node labeled $q$ in the 
configuration in which all the other nodes have been disconnected thanks to 
the movement and reconnected after). Note that the two selected nodes can 
communicate because the graph is complete. 

By applying these rules it is then clear that $\gamma_{j,N} \to^* \gamma_{j+1,k}$ and also that $\gamma_{j+1,k}$ 
verifies property 1 of the statement. Since by induction hypothesis there exists 
$\gamma_0 \in \mathcal{C}_0$ such that $\gamma_0 \to^* \gamma_{j,N}$, we also deduce that $\gamma_0 \to^* \gamma_{j+1,k}$, 
hence property 2 of the statement also holds. From this we deduce that (i) 
is true. 

To prove (ii), from (i) we have that $S \subseteq Reach(\mathcal{P})$ and we now prove that 
$Reach(\mathcal{P}) \subseteq S$. Let $q \in Reach(\mathcal{P})$. We show that $q \in S$ by induction on the 
minimal length of an execution path $\gamma_0 \to^* \gamma$ such that $\gamma_0 \in \mathcal{C}_0$ and $q \in L(\gamma)$. 
If the length is $0$ then $q \in Q_0$, hence also $q \in S$. Otherwise, let $\gamma' \to \gamma$ be 
the last transition of the execution. We have that there exists $q_1 \in L(\gamma')$ such 
that $(q_1, !!a, q) \in R$ [or $q_1, q_2 \in L(\gamma')$ such that $(q_1, !!a, q_3), (q_2, ??a, q) \in R$]. By 
induction hypothesis we have that $q_1 \in S$ [or $q_1, q_2 \in S$]. By construction, we 
can conclude that also $q \in S$. □ 

Since constraints in $\mathcal{CC}[\geq 1]$ check only the presence of states and do not contain 
negation, given a configuration $\gamma$ and a constraint $\varphi$ in $\mathcal{CC}[\geq 1]$ such that $\gamma \models \varphi$, 
we also have that $\gamma' \models \varphi$ for every $\gamma'$ such that $L(\gamma) \subseteq L(\gamma')$. Moreover, given 
a process $\mathcal{P}$, by definition of $Reach(\mathcal{P})$ we have that $L(\gamma) \subseteq Reach(\mathcal{P})$ for every 
reachable configuration $\gamma$, and by Lemma 1 there exists a reachable configuration 
$\gamma_f$ such that $L(\gamma_f) = Reach(\mathcal{P})$. Hence, to check $\mathcal{P} \models \Diamond\varphi$ it is sufficient to verify 
whether $\gamma_f \models \varphi$ for such a configuration $\gamma_f$. This can be done algorithmically 
as follows: once the set $Reach(\mathcal{P})$ is computed, check if the boolean formula 
obtained from $\varphi$ by replacing each atomic constraint of the form $\#q \geq 1$ by 
true if $q \in Reach(\mathcal{P})$ and by false otherwise is valid. This allows us to state the 
following theorem. 

Theorem 1. PRP restricted to $\mathcal{CC}[\geq 1]$ is PTIME-complete. 

Proof. The lower bound is given by Proposition 1. To obtain the upper bound, it 
suffices to remark that Algorithm 1 is in PTIME since it requires at most $|Q|$ 
iterations, each one requiring at most $|R|^2$ look-ups (of active broadcast/receive 
transitions) for computing new states to be included, and also that evaluating 
the validity of a boolean formula can be done in polynomial time. □ 

4 Complexity for PRP 

In this section we study the decidability and complexity of PRP for constraints in 
$\mathcal{CC}$. The main difference with the problem studied in the previous section lies in 
the fact that now the constraints have the ability to specify that a given control 
state is not present in a configuration (using atomic constraints of the form 
$\#q = 0$). Authorizing this kind of atomic constraints leads to a complexity jump 
as stated by the following proposition whose proof can be found in the Appendix. 

Proposition 2. PRP for constraints in $\mathcal{CC}$ is NP-hard. 

Proof. The proof is based on a reduction of the boolean satisfiability problem 
(SAT) which is known to be NP-complete. Let $\Phi$ be a boolean formula in conjunctive 
normal form over the set of variables $V = \{v_1, \dots, v_k\}$. We define a process 
$\mathcal{P}$ with initial state $q_0$ and the following set of rules $R = \{(q_0, \tau, v) \mid v \in V\} \cup 
\{(q_0, \tau, \bar{v}) \mid v \in V\}$. From $\Phi$ we build a constraint $\varphi \wedge \psi$ where $\varphi$ is the formula 
obtained from $\Phi$ by replacing each positive literal $v$ by $\#v \geq 1$ and each negative 
literal $\neg v$ by $\#\bar{v} \geq 1$, and $\psi = \bigwedge_{i=1}^{k} (\#v_i \geq 1 \wedge \#\bar{v}_i = 0) \vee (\#v_i = 0 \wedge \#\bar{v}_i \geq 1)$. 
The former constraint is the natural encoding of the input propositional formula 
whereas the latter assigns a consistent interpretation to the control state labels 
$v_i$ and $\bar{v}_i$ as assignments to the propositional variable $v_i$. The constraint $\varphi \wedge \psi$ 
is a formula in $\mathcal{CC}$. 

A node in the initial state $q_0$ makes a guess for the boolean valuation of a variable 
$v$ by moving to state $v$ [resp. to $\bar{v}$] if the associated chosen value is true [resp. 
false]. The formula $\psi$ ensures that no contradictory valuation is generated by 
stating that for each variable $v$ in $V$ only one type of control state $v$ or $\bar{v}$ is chosen. 
Assume that the formula $\Phi$ is satisfiable and let $(b_1, \dots, b_k) \in \{true, false\}^k$ be 
an interpretation over the variables $\{v_1, \dots, v_k\}$ that satisfies it. From an initial 
configuration $\gamma_0$ with $k$ nodes, it is possible to reach a configuration $\gamma$ such that 
$\gamma \models \psi$ and for all $1 \leq i \leq k$, if $b_i = true$ then $\gamma \models \#v_i \geq 1$ else $\gamma \models \#v_i = 0$. 
$\gamma \models \varphi \wedge \psi$ clearly holds here. Vice versa, if there exists a computation that 
reaches a configuration that satisfies $\varphi \wedge \psi$, then we have $m \geq k$ nodes whose 
labels correspond to a consistent interpretation of the variables in $V$ and which 
satisfies $\Phi$. □ 

We will now give an algorithm in NP to solve PRP for constraints in $\mathcal{CC}$. As for 
Algorithm 1 this new algorithm works on sets of control states. The algorithm 
works in two main phases. In a first phase it generates an increasing sequence of 
sets of control states that can be reached in the considered process definition. At 
each step the algorithm adds the control states obtained from the application of 
the process rules to the current set of labels. Unlike Algorithm 1, this new 
algorithm does not merge different branches, i.e. application of distinct rules 
may lead to different sequences of sets of control states. In a second phase the 
algorithm only removes control states, applying again process rules, in order to 
reach a set of control states that satisfies the given constraint. 



Algorithm 2 Solving PRP for constraints in CC 
Input: $\mathcal{P} = (Q, \Sigma, R, Q_0)$ a process and $\varphi$ a constraint over $\mathcal{P}$ in $\mathcal{CC}$ 
Output: Does $\mathcal{P} \models \Diamond\varphi$? 
  Guess $S_0, \dots, S_m, T_1, \dots, T_n \subseteq Q$ with $m, n \leq |Q|$ 
  If $S_0 \not\subseteq Q_0$ return NO 
  for all $i \in \{0, \dots, m-1\}$ do 
    If $S_{i+1} \notin postAdd(\mathcal{P}, S_i)$ return NO 
  end for 
  $T_0 := S_m$ 
  for all $i \in \{0, \dots, n-1\}$ do 
    If $T_{i+1} \notin postDel(\mathcal{P}, T_i)$ return NO 
  end for 
  If $T_n$ satisfies $\varphi$ return YES else return NO 



For a process $\mathcal{P} = (Q, \Sigma, R, Q_0)$ and a set $S \subseteq Q$, we define the operator 
$postAdd(\mathcal{P}, S) \subseteq 2^Q$ as follows: $S' \in postAdd(\mathcal{P}, S)$ if and only if the two following 
conditions are satisfied: (i) $S \subseteq S'$ and (ii) for all $q' \in S' \setminus S$, there exists 
a rule $(q, !!a, q') \in R$ such that $q \in S$ ($q'$ is produced by a broadcast) or there 
exist rules $(p, !!a, p')$ and $(q, ??a, q') \in R$ such that $q, p \in S$ and $p' \in S'$ ($q'$ is produced 
by a reception). In other words, all the states in $S' \in postAdd(\mathcal{P}, S)$ are 
either in $S$ or states obtained from the application of broadcast/reception rules 
to labels in $S$. Similarly, we define the operator $postDel(\mathcal{P}, S) \subseteq 2^Q$ as follows: 
$S' \in postDel(\mathcal{P}, S)$ if and only if $S' \subseteq S$ and one of the following conditions 
holds: either $S \setminus S' = \emptyset$; or [$S \setminus S' = \{q\}$ and there exists a rule $(q, !!a, q') \in R$ such 
that $q' \in S'$]; or [$S \setminus S' = \{q\}$ and there exist two rules $(p, !!a, p'), (q, ??a, q') \in R$ 
such that $p, p', q' \in S'$ ($q$ is consumed by a broadcast)]; or [$S \setminus S' = \{p, q\}$ and 
there exist two rules $(p, !!a, p'), (q, ??a, q') \in R$ such that $p', q' \in S'$ ($p$ and $q$ are 
consumed by a broadcast)]. 

Finally, we say that a set $S \subseteq Q$ satisfies an atom $\#q = 0$ if $q \notin S$ and it 
satisfies an atom $\#q \geq 1$ if $q \in S$; satisfiability for composite boolean formulae 
of $\mathcal{CC}$ is then defined in the natural way. We have then the following Lemma 
whose proof can be found in the Appendix. 

Lemma 2. There is an execution of Algorithm 2 which answers YES on input 
$\mathcal{P}$ and $\varphi$ iff $\mathcal{P} \models \Diamond\varphi$. 

Proof. Let $\mathcal{P} = (Q, \Sigma, R, Q_0)$ be a process with $MAHN(\mathcal{P}) = (\mathcal{C}, \to, \mathcal{C}_0)$ and $\varphi$ 
a constraint over $\mathcal{P}$ in $\mathcal{CC}$. First we assume that Algorithm 2 answers 
YES on input $\mathcal{P}$ and $\varphi$. This means that there exist $S_0, \dots, S_m, T_0, T_1, \dots, 
T_n$ such that $1 \leq m, n \leq |Q|$ and $S_0 \subseteq Q_0$, and for all $i \in \{0, \dots, m-1\}$, 
$S_{i+1} \in postAdd(\mathcal{P}, S_i)$ and $T_0 = S_m$ and for all $i \in \{0, \dots, n-1\}$, $T_{i+1} \in 
postDel(\mathcal{P}, T_i)$. We will now prove that there exist two configurations $\gamma_0 \in \mathcal{C}_0$ 
and $\gamma \in \mathcal{C}$ such that $\gamma_0 \to^* \gamma$ and $L(\gamma) = T_n$. First, reasoning the same way 
as in the proof of Lemma 1, we can deduce that for any $k \in \mathbb{N} \setminus \{0\}$, there 
exist $\gamma_0 \in \mathcal{C}_0$ and a complete graph $\gamma_k = (V, E, L)$ in $\mathcal{C}$ such that $L(\gamma_k) = S_m$ 
and for every $q \in S_m$ the set $\{v \in V \mid L(v) = q\}$ has more than $k$ elements. Now 
we are going to prove that for any $j \in \{0, \dots, n\}$, for all $k \in \mathbb{N} \setminus \{0\}$, there is a 
complete graph $\gamma_{j,k}$ such that: 

1. $L(\gamma_{j,k}) = T_j$ and for each $q \in T_j$, the set $\{v \in V \mid L(v) = q\}$ has more than 
$k$ elements (i.e. for each element $q$ of $T_j$ there are more than $k$ nodes in $\gamma_{j,k}$ 
labelled with $q$), 

2. there exists $\gamma_0 \in \mathcal{C}_0$ such that $\gamma_0 \to^* \gamma_{j,k}$. 

To prove this statement we reason by induction on $j$. For $j = 0$, since the 
statement holds for $S_m$, it holds also for $T_0 = S_m$. We now assume that the 
property is true for all naturals smaller than $j$ (with $j < n$) and we will show it 
is true for $j + 1$. We consider now the set $T_j \setminus T_{j+1}$ (assuming it is not empty, 
otherwise the property trivially holds). By the property of the operator $postDel$, 
we have $T_{j+1} \subseteq T_j$. Now let $k \in \mathbb{N}$; the graph $\gamma_{j+1,k}$ is obtained from $\gamma_{j,k+1}$ as 
follows: 

— if $T_j \setminus T_{j+1} = \{q\}$ and there exists a rule $(q, !!a, q') \in R$ such that $q' \in T_{j+1}$, 
then this rule is applied to all the nodes labelled by $q$; first each node is 
isolated with the movement rule, then the broadcast rule is performed and 
then the complete graph is rebuilt. Note that applying this rule 
consecutively will only increase the number of nodes labelled by $q'$, which 
were already present in $\gamma_{j,k+1}$; 

— if $T_j \setminus T_{j+1} = \{q\}$ and there exist two rules $(p, !!a, p'), (q, ??a, q') \in R$ such 
that $p, p', q' \in T_{j+1}$ ($q$ is consumed by a broadcast), then all the nodes 
labelled by $q$ are isolated together with a node labelled by $p$ so that all these 
nodes are connected, then $p$ broadcasts $a$, sending all the other nodes to $q'$, 
and finally the complete graph is rebuilt; as a consequence there are no more 
nodes labelled by $q$, the numbers of nodes labelled by $q'$ and $p'$ have increased 
and the number of nodes labelled by $p$ has decreased by one unit; 

— if $T_j \setminus T_{j+1} = \{p, q\}$ and there exist two rules $(p, !!a, p'), (q, ??a, q') \in R$ such 
that $p', q' \in T_{j+1}$ ($p$ and $q$ are consumed by a broadcast), then as for the 
second case, we first eliminate all the nodes labelled by $q$ by isolating them 
together with one node labelled by $p$, and then all the nodes labelled by $p$ 
can be eliminated the same way it is done in the first case we considered. 

By applying these rules it is then clear that $\gamma_{j,k+1} \to^* \gamma_{j+1,k}$ and also that 
$\gamma_{j+1,k}$ verifies property 1 of the statement. Since by induction hypothesis 
there exists $\gamma_0 \in \mathcal{C}_0$ such that $\gamma_0 \to^* \gamma_{j,k+1}$, we also deduce 
that $\gamma_0 \to^* \gamma_{j+1,k}$, hence property 2 of the statement also holds. Hence if 
Algorithm 2 returns YES on input $\mathcal{P}$ and $\varphi$ we deduce that there exists a 
reachable configuration $\gamma \in \mathcal{C}$ such that $L(\gamma) = T_n$ and since $T_n$ satisfies $\varphi$, we 
also have that $\gamma \models \varphi$, hence $\mathcal{P} \models \Diamond\varphi$. 

We now assume that there exist two configurations $\gamma_0 \in \mathcal{C}_0$ and $\gamma \in \mathcal{C}$ 
such that $\gamma_0 \to^* \gamma$ (the case $\gamma_0 = \gamma$ can be easily verified) and $\gamma \models \varphi$. Hence 
there exist $\gamma_1, \dots, \gamma_k \in \mathcal{C}$ such that $\gamma_0 \to^* \gamma_1 \to^* \cdots \to^* \gamma_k$ with $\gamma_k = \gamma$ and for 
all $i \in \{1, \dots, k\}$, exactly one broadcast rule has been applied between $\gamma_{i-1}$ and 
$\gamma_i$. From this execution we build a sequence of sets of control states $(S'_i)_{0 \leq i \leq k}$ 
such that $S'_0 = L(\gamma_0)$ and for all $0 \leq i \leq k-1$, $S'_{i+1} = S'_i \cup L(\gamma_{i+1})$. By 
definition of the broadcast rule and of the operator $postAdd$, we deduce that 
$S'_{i+1} \in postAdd(\mathcal{P}, S'_i)$. From this sequence, we can furthermore extract a 
subsequence $(S_i)_{0 \leq i \leq m}$ such that for all $0 \leq i \leq m-1$, $S_{i+1} \in postAdd(\mathcal{P}, S_i)$ and 
$S_{i+1} \neq S_i$, and for all $0 \leq j \leq k$, there exists $0 \leq i \leq m$ such that $S'_j = S_i$. 
Since we have $S_i \subsetneq S_{i+1}$ for all $0 \leq i \leq m-1$, we deduce that necessarily 
$m \leq |Q|$. Now we build another sequence of sets of control states $(T'_i)_{0 \leq i \leq k}$ such that 
$T'_0 = S_m$ and for all $0 \leq i \leq k-1$, $T'_{i+1} = T'_i \setminus E_i$, where for all $0 \leq i \leq k-1$, 
$E_i = \{q \in L(\gamma_i) \mid \nexists j > i \text{ s.t. } q \in L(\gamma_j)\}$. In other words, to build $T'_{i+1}$ from $T'_i$ 
we delete the control states $q$ that are present in $\gamma_i$ and will never be present 
in any $\gamma_j$ for $j > i$. We recall that by construction for all $1 \leq i \leq k$, we have 
$L(\gamma_i) \subseteq T'_0$ and hence by construction of the sequence $(T'_i)_{0 \leq i \leq k}$ we have 
necessarily $L(\gamma) = T'_k$. By definition of the broadcast rule and of the operator 
$postDel$, we also deduce that $T'_{i+1} \in postDel(\mathcal{P}, T'_i)$. From this sequence, we 
can furthermore extract a subsequence $(T_i)_{0 \leq i \leq n}$ such that for all $0 \leq i \leq n-1$, 
$T_{i+1} \in postDel(\mathcal{P}, T_i)$ and $T_{i+1} \neq T_i$, and for all $0 \leq j \leq k$, there exists $0 \leq i \leq n$ 
such that $T'_j = T_i$. Since we have $T_{i+1} \subsetneq T_i$ for all $0 \leq i \leq n-1$, we deduce 
that necessarily $n \leq |Q|$ and also we have $T_n = L(\gamma)$. Since $\gamma \models \varphi$ we deduce 
that $T_n$ satisfies $\varphi$ and consequently we have proved that there is an execution 
of Algorithm 2 which answers YES on input $\mathcal{P}$ and $\varphi$. □ 

It is then clear that each check performed by Algorithm 2 (i.e. $S_0 \subseteq Q_0$ and 
$S_{i+1} \in postAdd(\mathcal{P}, S_i)$ and $T_{i+1} \in postDel(\mathcal{P}, T_i)$ and $T_n$ satisfies $\varphi$) can be 
performed in polynomial time in the size of the process $\mathcal{P}$ and of the formula $\varphi$, 
and since $m$ and $n$ are smaller than the number of control states in $\mathcal{P}$, we deduce 
the following theorem (the lower bound being given by Proposition 2). 

Theorem 2. PRP for constraints in $\mathcal{CC}$ is NP-complete. 
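An added example (not from the paper) of the polynomial-time checks behind Algorithm 2: postAdd, postDel and the verification of a guessed pair of sequences, run on a constructed instance of the SAT encoding of Proposition 2. The formula, the state names v1, nv1, v2, nv2 and the predicate form of the constraint are assumptions of the example.

```python
# Constructed instance (not from the paper) of the SAT encoding of Proposition 2
# for Phi = (v1 or v2) and (not v1 or v2): a q0 node guesses a literal by a local
# (tau) move.  Receptions of tau are the implicit self-loops of Section 2.1; they
# can neither produce nor consume a state, so they are left out of RULES.
Q0 = {"q0"}
RULES = [("q0", "!!tau", x) for x in ("v1", "nv1", "v2", "nv2")]


def phi_sat(T):
    """phi and psi of Proposition 2 evaluated on a set of control states:
    the clauses of Phi over #x >= 1 atoms, and psi = exactly one of v_i, nv_i."""
    clauses = ("v1" in T or "v2" in T) and ("nv1" in T or "v2" in T)
    consistent = all((v in T) != (nv in T) for v, nv in (("v1", "nv1"), ("v2", "nv2")))
    return clauses and consistent


def split(rules):
    """Broadcast rules and reception rules as (state, message, target) triples."""
    bcasts = [(q, act[2:], qp) for (q, act, qp) in rules if act.startswith("!!")]
    recvs = [(q, act[2:], qp) for (q, act, qp) in rules if act.startswith("??")]
    return bcasts, recvs


def post_add(rules, S, S2):
    """S2 in postAdd(P, S): S subset of S2, and every new state is produced by a
    broadcast from S, or by a reception in S of a broadcast from S whose sender's
    target is in S2."""
    if not S <= S2:
        return False
    bcasts, recvs = split(rules)
    for qp in S2 - S:
        by_bcast = any(q in S and t == qp for (q, a, t) in bcasts)
        by_recv = any(q in S and t == qp and
                      any(p in S and pp in S2 and b == a for (p, b, pp) in bcasts)
                      for (q, a, t) in recvs)
        if not (by_bcast or by_recv):
            return False
    return True


def post_del(rules, S, S2):
    """S2 in postDel(P, S): S2 subset of S, and the removed states (none, one, or a
    sender/receiver pair) are consumed by a single broadcast whose targets stay."""
    if not S2 <= S:
        return False
    removed = S - S2
    bcasts, recvs = split(rules)
    if not removed:
        return True
    if len(removed) == 1:
        (q,) = removed
        if any(p == q and pp in S2 for (p, a, pp) in bcasts):             # q is the sender
            return True
        return any(p in S2 and pp in S2 and r == q and rp in S2 and a == b  # q receives
                   for (p, a, pp) in bcasts for (r, b, rp) in recvs)
    if len(removed) == 2:                                                 # sender and receiver
        return any(p in removed and r in removed and p != r and a == b
                   and pp in S2 and rp in S2
                   for (p, a, pp) in bcasts for (r, b, rp) in recvs)
    return False


def check_certificate(q0, rules, phi, Ss, Ts):
    """The deterministic part of Algorithm 2: given the guessed sequences
    S_0..S_m and T_1..T_n, run every check and return YES/NO as a bool.
    Each check is polynomial in |R| and |Q|, which is what puts PRP in NP."""
    Q = set(q0) | {s for (q, _, qp) in rules for s in (q, qp)}
    if len(Ss) - 1 > len(Q) or len(Ts) > len(Q):     # m, n <= |Q|
        return False
    if not Ss[0] <= set(q0):
        return False
    if not all(post_add(rules, S, S2) for S, S2 in zip(Ss, Ss[1:])):
        return False
    Ts = [Ss[-1]] + list(Ts)                          # T_0 = S_m
    if not all(post_del(rules, T, T2) for T, T2 in zip(Ts, Ts[1:])):
        return False
    return phi(Ts[-1])
```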

5 Complexity of the Cardinality Reachability Problem 

In this section we study another problem, called CRP, in which we ask the question 
whether we can reach a configuration with a given number of occurrences 
for each control state. Formally, given a process $\mathcal{P} = (Q, \Sigma, R, Q_0)$, a cardinality 
constraint over $\mathcal{P}$ is a function $card : Q \to \mathbb{N}$. We say that a configuration $\gamma$ 
satisfies a cardinality constraint $card$ (denoted by $\gamma \models card$) if for each $q \in Q$ the 
number of occurrences of $q$ in $\gamma$ is equal to $card(q)$. The Cardinality Reachability 
Problem (CRP) can then be stated as follows: 

[Fig. 1 (figure not reproduced): Simulation of a transition $t$ with ${}^\bullet t = \{p_1, \dots, p_n\}$ and $t^\bullet = \{q_1, \dots, q_m\}$.] 



Input: A process V with MAHN{V) = (C,— >,Co) and a cardinality constraint 
card. 

Output: Yes, if 370 G Cq and 71 G C s.t. 70 — 71 and 71 h card. 

Note that this problem seems easier than PRP because the cardinality constraint
fixes the number of nodes of an initial configuration. In fact, if there is a reachable
configuration which satisfies a cardinality constraint $\mathit{card}$, we know that this
configuration and the initial configuration from which the computation starts
have $\sum_{q \in Q} \mathit{card}(q)$ nodes. We will show that this is not the case as CRP is
PSPACE-complete. First we prove the lower bound.

Proposition 3. CRP is PSPACE-hard. 

Proof. We use a reduction from reachability in 1-safe Petri nets. A Petri net
$N$ is a tuple $N = (P, T, m_0)$, where $P$ is a finite set of places, $T$ is a finite
set of transitions $t$, such that ${}^\bullet t$ and $t^\bullet$ are multisets of places (pre- and post-
conditions of $t$), and $m_0$ is a multiset of places that indicates how many tokens
are located in each place in the initial net marking. Given a marking $m$, the
firing of a transition $t$ such that ${}^\bullet t \subseteq m$ leads to a new marking $m'$ obtained
as $m' = (m \setminus {}^\bullet t) \cup t^\bullet$. A Petri net $N$ is 1-safe if in every reachable marking every
place has at most one token. Reachability of a specific marking $m_1$ from the
initial marking $m_0$ is decidable for Petri nets, and PSPACE-complete for 1-safe
nets [2].

Given a 1-safe net $N = (P, T, m_0)$ and a marking $m_1$, we encode the reach-
ability problem as a CRP problem for the process $\mathcal{P}$ and cardinality constraint
$\mathit{card}$ defined next. For each place $p \in P$, we introduce control states $p_1$ and $p_0$ to
denote the presence or absence of the token in $p$, respectively. Furthermore, we
introduce a special control state $ok$. The control state $ok$ is used to control the net
simulation. Transitions of the controller are depicted in the upper part of Fig. 1.
The first rule of the controller selects the current transition to simulate. The
simulation of the transition $t$ with ${}^\bullet t = \{p_1, \ldots, p_n\}$ and $t^\bullet = \{q_1, \ldots, q_m\}$ is
defined via two sequences of messages. The first one is used to remove the token
from $p_1, \ldots, p_n$, whereas the second one is used to put the token in $q_1, \ldots, q_m$.
To guarantee that every involved place reacts to the protocol (i.e. messages
are not lost), the controller waits for an acknowledgment from each of them.
Transitions of places are depicted in the lower part of Fig. 1. It is not restrictive
to assume that there is only one token in the initial marking $m_0$ (otherwise we
add an auxiliary initial place and a transition that generates $m_0$ by consum-
ing the initial token). Let $p^0$ be such a place. We define the initial states $Q_0$
of the process $\mathcal{P}$ as $\{p^0_1, ok\} \cup \{p_0 \mid p \in P \setminus \{p^0\}\}$ in order to initially admit
control states representing the controller, the presence of the initial token, and
the absence of tokens in other places. The reduction does not work if there are
several copies of controller nodes and/or place representations (i.e. $p_1, p_0, \ldots$) in-
teracting during a simulation (interferences between distinct nodes representing
controllers/places may lead to incorrect results). However, we can ensure that the
reduction is accurate by checking the number of occurrences of states exposed
in the final configuration: it is sufficient to check that only one controller and
only one node per place in the net are present. Besides making this check, the
cardinality constraint $\mathit{card}$ should also verify that the represented net marking
coincides with $m_1$. Namely, we define $\mathit{card}$ as follows:



$\mathit{card}(ok) = 1 \;\wedge\; \forall t \in T.\ \mathit{card}(ok_t) = 0 \;\wedge$

$\forall t \in T, q \in P.\ \big(\mathit{card}(a_{t,q}) = 0 \wedge \mathit{card}(b_{t,q}) = 0 \wedge \mathit{card}(a'_{t,q}) = 0 \wedge \mathit{card}(b'_{t,q}) = 0\big)$

Since the number of nodes stays constant during an execution, the post-condition
specified by $\mathit{card}$ is propagated back to the initial configuration. Therefore, if the
protocol satisfies CRP for $\mathit{card}$, then in the initial configuration there must be
one single controller node with state $ok$, and for each place $p$ one single node
with either state $p_1$ or state $p_0$. Under this assumption, it is easy to check that
a run of the protocol corresponds precisely to a firing sequence in the 1-safe
net. Thus an execution run satisfies $\mathit{card}$ if and only if the corresponding firing
sequence reaches the marking $m_1$. □

We now show that there exists an NPSPACE algorithm to decide CRP. Let
$\mathcal{P} = (Q, \Sigma, R, Q_0)$. Since the size of a graph never changes during an execution,
a cardinality constraint fixes the size of the initial configuration, given by the sum
$K$ of the constants in $\mathit{card}$. The algorithm guesses an execution $\gamma_0 \rightarrow \gamma_1 \rightarrow \cdots \rightarrow \gamma_n$
traversing pairwise distinct configurations, s.t. $\gamma_0$ is a complete graph with $K$
nodes in initial states, and then checks if $\mathit{card}$ is satisfied in $\gamma_n$. Each config-
uration can be stored in polynomial space. Since the size of all configurations
is $K$, we need at most $|Q|^K$ steps (all possible combinations of states over $K$ nodes).
Thus we have a non-deterministic algorithm working in polynomial space. Since
NPSPACE = PSPACE, and in the light of the lower bound indicated by Proposi-
tion 3, we can conclude with the following theorem.

Theorem 3. CRP is PSPACE-complete.
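As an added illustration of the search described above (example code written here, not the paper's), the following Python performs an explicit-state reachability check for CRP on a small constructed process, exploring at most $|Q|^K$ distinct configurations. It assumes the selective-broadcast semantics with spontaneous movement: a rule `(q, "!!", a, q2)` moves the emitter from `q` to `q2`, a rule `(p, "??", a, p2)` moves a receiving neighbour from `p` to `p2`, nodes with no reception rule for `a` are unaffected, and because nodes move freely the emitter may be adjacent to any subset of the other nodes, so only the multiset of control states needs to be tracked; the state and message names are constructed.

```python
# Added example (not the paper's code): explicit-state search for CRP on a
# small process, under the semantics assumed in the lead-in.
from collections import Counter
from itertools import combinations_with_replacement, product

def crp_reachable(Q, R, Q0, card):
    """True iff some initial configuration with K = sum(card) nodes, all in
    states from Q0, can reach a configuration whose state counts equal card."""
    K = sum(card.values())
    def key(cfg):  # canonical multiset of control states (zeros included)
        return frozenset((q, cfg.get(q, 0)) for q in Q)
    target = key(card)
    broadcasts = [(q, a, q2) for (q, kind, a, q2) in R if kind == "!!"]
    # Assumption: at most one reception rule per (state, message) pair.
    recv = {(q, a): q2 for (q, kind, a, q2) in R if kind == "??"}
    # Every multiset of K initial states is a candidate initial configuration.
    frontier = [Counter(c) for c in combinations_with_replacement(sorted(Q0), K)]
    seen = {key(c) for c in frontier}
    while frontier:
        cfg = frontier.pop()
        if key(cfg) == target:
            return True
        for (q, a, q2) in broadcasts:
            if cfg[q] == 0:
                continue
            rest = cfg.copy()
            rest[q] -= 1                      # the emitter leaves state q
            # Spontaneous movement lets the emitter be adjacent to any subset
            # of the other nodes, so any number of nodes in each state with a
            # reception rule for a may react; nodes without one are unaffected.
            reacting = [p for p in rest if rest[p] > 0 and (p, a) in recv]
            for counts in product(*[range(rest[p] + 1) for p in reacting]):
                nxt = rest.copy()
                nxt[q2] += 1                  # the emitter reaches q2
                for p, n in zip(reacting, counts):
                    nxt[p] -= n
                    nxt[recv[(p, a)]] += n
                k = key(nxt)
                if k not in seen:
                    seen.add(k)
                    frontier.append(nxt)
    return False

if __name__ == "__main__":
    # Constructed toy process: one emitting state, one receiving state.
    Q = {"init", "idle", "done", "ack"}
    R = [("init", "!!", "hello", "done"), ("idle", "??", "hello", "ack")]
    print(crp_reachable(Q, R, {"init", "idle"}, {"done": 1, "ack": 2}))  # True
```

The constraint `{"done": 1, "idle": 2}` is also reachable because movement allows a broadcast with no neighbour in range, whereas `{"ack": 2}` is not, since every `ack` requires a broadcast that leaves a `done` behind.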



6 Conclusion



We have studied the complexity of reachability problems for mobile ad hoc net-
work protocols in which target states are represented by using constraints check-
ing the presence, absence, or counting the number of occurrences of control states
in a configuration. We have given algorithms for different classes of constraints.
For constraints that simply check the presence of control states we have shown
that reachability is PTIME-complete, while when constraints checking the
absence are also considered the problem turns out to be NP-complete. Finally, for
constraints counting the number of occurrences reachability becomes PSPACE-
complete. Our analysis significantly improves the decidability results given in [3]
by reduction to problems which are known to be at least EXPSPACE-hard.